12-22-2008 07:11 AM - edited 03-06-2019 03:05 AM
I would like to find out if there is a good way to prevent or alert when someone adds a switch or hub to a port that should only have a PC and/or VoIP phone?
Mike
12-22-2008 07:14 AM
The right answer would be "Use port security". The best answer would be "Use 802.1x authentication".
12-22-2008 07:26 AM
Thanks. I checked a little of both and I may just try the port security. Any things to watch out for? Would I set the max MAC addresses to 2 if I have a phone and a PC? Also, I don't want to lock it to a specific MAC address, as I have people change offices; what would be the best way to do that? Also, can I set it up so the first MAC address is the one that can pass traffic, but for any others the traffic just gets dropped? I don't want to shut the port down.
Mike
12-22-2008 07:35 AM
Yup, you can configure it so the port learns the first MAC address in use and sticks to it as long as it's active, and then either ages it out or keeps it forever.
To cause the port just to drop traffic from subsequently learned MAC addresses:
2 MAC addresses for PC + phone are also correct, though it may raise some obvious issues if you don't configure static MAC addresses on the port.
For mobile users 802.1x is an ace. :)
12-22-2008 08:05 AM
I am slow.....what obvious issues?
Mike
12-22-2008 08:21 AM
You can connect some other devices instead of the regular ones if there is no static MAC or the sticky MAC ages out.
And the previous poster has a very good point: a router will hide everything behind it, so you kind of need static MACs or sticky ones which do not age.
12-22-2008 08:33 AM
Ok...that is what I thought but wanted to make sure I was not missing anything.
Mike
12-22-2008 08:02 AM
You might also want to investigate setting the TTL such that when someone plugs in a SOHO router (because now they'll need to NAT to get extra ports) the TTL will expire (one more router, TTL decrements, hits zero... no connection).
Sometimes you have to get extreme to foil the determined users...
Good Luck, Happy Holidays!
Scott
12-22-2008 08:35 AM
I need some help understanding this one. Where can I find more information on the TTL settings, so I don't cause issues with the phones or the PC that is supposed to be connected?
Also, are there any gotchas?
Mike
12-22-2008 08:50 AM
12-22-2008 10:28 AM
Thanks. I will work on this information.
Mike
12-22-2008 10:58 AM
The only real gotcha is administrative: you pretty much have to tailor the TTL for each branch of the network (or at least the ones you want to control... not all branches require strict control... think "your boss, your boss's boss, etc.").
Unless your network is of consistent radius / hops-per-branch, you'd need to tweak them individually.
If you traceroute from a host in each branch, you'll get an idea of where to start your TTL count. If it takes 3 hops to hit the gateway, a TTL of three should be your number.
Also... TTL for INBOUND ONLY... an outbound TTL setting would limit your reach for Internet access. In that vein, if you wanted to limit access to your internal network / intranet and have designed to that end (i.e., central resources are a consistent hop count from each client), you can restrict access to the internal network by limiting the outbound (from the host) TTL... it might save you some ugly ACL work.
Everyone's networks are different, ya gotta go with what works for you.
Good Luck, Happy Holidays!
Scott
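The TTL trick Scott describes rests on one fact: a packet that has crossed an extra router arrives at your first-hop interface with a TTL one lower than a directly attached host would produce. The fragment below is an added example, not configuration from the original thread or from either poster; it enforces the same principle from the detection side, on the client VLAN's first-hop SVI, using the extended-ACL `ttl` match (assumed available, Cisco IOS 12.4(2)T or later). The interface, subnet and NMS address are placeholders, and the "expected" TTL values are the constructed OS defaults (64 for Linux/macOS, 128 for Windows), so 63 and 127 mean "already routed once". Baseline your own PCs and phones first, because a phone or an appliance with a different default TTL would otherwise be logged as a NAT box.

```cisco
! Added example (not from the original post). Assumes IOS with ACL TTL matching,
! client data VLAN 10 on 10.10.10.0/24, and a constructed syslog host 192.0.2.10.
logging host 192.0.2.10
!
ip access-list extended FROM-CLIENTS
 remark Directly attached hosts arrive with their OS default TTL (64 or 128, constructed baseline).
 remark Anything one hop lower has already been through a router, i.e. a SOHO NAT box.
 deny   ip 10.10.10.0 0.0.0.255 any ttl eq 127 log
 deny   ip 10.10.10.0 0.0.0.255 any ttl eq 63 log
 remark Optional stricter form of Scott's idea: only accept untouched default TTLs.
 remark permit ip 10.10.10.0 0.0.0.255 any ttl eq 128
 remark permit ip 10.10.10.0 0.0.0.255 any ttl eq 64
 permit ip 10.10.10.0 0.0.0.255 any
!
interface Vlan10
 description First-hop gateway for office PCs on VLAN 10
 ip address 10.10.10.1 255.255.255.0
 ip access-group FROM-CLIENTS in
!
! Verify: watch the hit counters and the resulting %SEC-6-IPACCESSLOGP lines.
! show ip access-lists FROM-CLIENTS
```

Two caveats a practitioner should keep in mind. First, as Scott notes, the numbers are per branch: if a branch's hosts are two routed hops away from the interface carrying the ACL, the "clean" TTLs there are 63 and 127, so copy the list per branch with its own values. Second, some NAT routers can be configured to rewrite the TTL to a fixed value, which defeats this check entirely; TTL matching is a cheap detection, not a substitute for port security or 802.1X on the access port.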
12-22-2008 10:30 AM
Thank you for your help.
Mike
12-23-2008 05:45 AM
PC + phone requires a minimum of 3 MAC addresses. There is the MAC of the PC, the MAC of the switch port on the phone, and the MAC of the PC port on the phone. You need to change port-security to a maximum of 3 MAC addresses.
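Pulling the thread's answers together into one access-port configuration, as an added example that is not from any of the posters: a maximum of 3 secure addresses (the count given in the last answer), violation mode `restrict` so extra MACs are silently dropped, counted and logged instead of err-disabling the port, sticky learning of the first addresses, and SNMP traps so the NMS hears about it. A second interface shows the variant for people who change offices: no sticky addresses, inactivity aging instead. The interface names, VLAN numbers, aging time and NMS address are placeholders. BPDU guard is included because a managed switch announces itself with BPDUs; it does err-disable the port, which is the behaviour Mike wanted to avoid, so drop that line if "drop, don't shut" is the firm rule, and remember that hubs and unmanaged switches send no BPDUs anyway, which is why port security is still needed.

```cisco
! Added example (not from the original thread). Assumes a Cisco IOS Catalyst
! access switch; interface names, VLANs, timers and 192.0.2.10 are placeholders.
snmp-server enable traps port-security
logging host 192.0.2.10
!
! Fixed desk: learn the first three MACs (PC + phone switch port + phone PC port)
! and keep them. Sticky addresses are written into the running config, so they
! survive a reload and do not age out.
interface GigabitEthernet1/0/1
 description Office jack: PC behind IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Hot desk / mobile users: same limit and violation mode, but no sticky addresses.
! A learned MAC is forgotten after 10 minutes of silence, so the next occupant's
! PC is accepted without touching the switch.
interface GigabitEthernet1/0/2
 description Hot desk: PC behind IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 spanning-tree portfast
!
! Verify the learned addresses and the violation counter. With "restrict", a hub
! or extra switch shows up as a rising SecurityViolation count and a
! %PORT_SECURITY-2-PSECURE_VIOLATION syslog, while the port stays up.
! show port-security interface GigabitEthernet1/0/1
! show port-security address
```

Before committing to `maximum 3`, plug in a real phone plus PC on a test port, wait a minute and run `show port-security address`: the number of entries the switch actually learns (and on which VLANs) is the number to configure, and the check catches the case where a phone model only ever presents one MAC.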
12-23-2008 05:56 AM
Thanks for the info. I will be testing with in the week or so.
Mike